MNR S2500 Security Policy
Version 1.3, Revision Date: 1/13/2009
Page 12
Definition of Critical Security Parameters (CSPs)
The following CSPs are contained within the module:
Key Description/Usage
KEK This is the master key that encrypts persistent CSPs stored within the module.
KEK-protected keys include PSK and passwords.
Encryption of keys uses AES128ECB
IKE Preshared Keys
Used to authenticate peer to peer during IKE session
SKEYID Generated for IKE Phase 1 by hashing preshared keys with responder/receiver
nonce
SKEYID_d Phase 1 key used to derive keying material for IKE SAs
SKEYID_a Key used for integrity and authentication of the phase 1 exchange
SKEYID_e Key used for TDES or AES data encryption of phase 1 exchange
Ephemeral DH Phase-1
private key (a)
Generated for IKE Phase 1 key establishment
Ephemeral DH Phase-2
private key (a)
Phase 2 Diffie Hellman private keys used in PFS for key renewal
IPSEC Session keys 128/192/256-bit AES-CBC and 168-bit TDES keys are used to encrypt and
authenticate IPSEC ESP packets
FRF.17 Session Keys 168-bit TDES-CBC and 128/192/256-bit AES-CBC keys are used to encrypt
and authenticate FRF.17 Mode 2
SSH-RSA Private Key Key used to authenticate oneself to peer
SSH-DSA Private Key Key used to authenticate oneself to peer
SSH Session Keys 168-bit TDES-CBC and 128/192/256-bit AES-CBC keys are used to encrypt
and authenticate SSH packets
SSH DH Private Key Generated for SSH key establishment
RNG Seed Initial seed for FIPS-approved deterministic RNG
Network Manager Password
(Root)
7 (to 15 ) character password used to authenticate to the CO Role
(Crypto
Officer
)
User(Admin) 7 (to 15) character password used to authenticate to the User Role
User Accounts 7 (to 15) character password used to authenticate accounts created on the
module
Table 8 – Critical Security Parameters (CSPs)
To Next Page
Loading...
